An Adaptive and Cost-Based Intrusion Response System

ABSTRACT An Adaptive and Cost-Based Intrusion Response System (ACBIRS) is presented in this paper. The system analyzes alerts from the Intrusion Detection System (IDS) and evaluates the attack cost based on the probable damage the attack would cause to the protected system. A response is then deployed to thwart the attack and prevent the attacker from reaching his/her goals. The proposed response selection approach is a cost-based method that prioritizes alerts using attack features, including the type of the attack, its severity, and the value of the targeted host or hosts, their services, and their data. Alerts are responded to in order of priority. Responses are selected using a measure called Response Merit (RM), which is determined by the balance between attack damage cost and response cost together with the effectiveness of the response in countering previous attacks. In contrast to other Intrusion Response Systems (IRS), ACBIRS not only consists of the attack and response measures but also includes response feedback supervision, which is proposed in this paper for the first time. ACBIRS allows responses to adapt to changing environments by assessing the success and failure of previously deployed responses. Experiments show that ACBIRS successfully prevents 92% of intrusions with only 3% disruption of benign traffic.
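The abstract does not give the RM formula, so the following is an added illustration rather than the paper's own code: it assumes a simple linear form (smoothed effectiveness times attack damage cost, minus response cost), with alert priority, candidate responses, and the success/failure feedback loop all constructed here to show how feedback supervision changes which response is selected.

```python
from dataclasses import dataclass


@dataclass
class Alert:
    attack_type: str   # e.g. "dos", as reported by the IDS (constructed labels)
    severity: float    # 0..1, severity assigned by the IDS
    host_value: float  # value of the targeted host, its services and data


@dataclass
class Response:
    name: str
    cost: float        # assumed disruption cost of deploying the response
    covers: frozenset  # attack types this response is able to counter


class RMSelector:
    """Toy cost-based selector with feedback supervision (assumed RM form)."""

    def __init__(self, responses):
        self.responses = list(responses)
        self.history = {}  # (response name, attack type) -> (successes, failures)

    def attack_cost(self, alert):
        # Probable damage: severity scaled by the value of what is targeted.
        return alert.severity * alert.host_value

    def effectiveness(self, response, attack_type):
        # Laplace-smoothed success rate learned from earlier deployments;
        # an untried response starts at 0.5.
        s, f = self.history.get((response.name, attack_type), (0, 0))
        return (s + 1) / (s + f + 2)

    def response_merit(self, response, alert):
        return self.effectiveness(response, alert.attack_type) * self.attack_cost(alert) - response.cost

    def prioritize(self, alerts):
        # Highest-damage alerts are handled first.
        return sorted(alerts, key=self.attack_cost, reverse=True)

    def select(self, alert):
        candidates = [r for r in self.responses if alert.attack_type in r.covers]
        best = max(candidates, key=lambda r: self.response_merit(r, alert), default=None)
        if best is None or self.response_merit(best, alert) <= 0:
            return None  # responding would disrupt more than the attack would damage
        return best

    def feedback(self, response, attack_type, success):
        # Feedback supervision: record whether the deployed response worked.
        s, f = self.history.get((response.name, attack_type), (0, 0))
        self.history[(response.name, attack_type)] = (s + 1, f) if success else (s, f + 1)
```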
